Sandboxed application data redirection to datacenters

ABSTRACT

Technologies are generally described to redirect data from application sandboxes to datacenters. In some examples, an application operating in an application sandbox may exchange data with an application data store, such as a file or a directory, also located in the sandbox. The data store may then exchange data with a datacenter at a particular geographic locale over a network connection established by a sandbox data servicer module. The network connection may be periodically updated to connect the data store with different datacenters at different geographic locales based on geographic information associated with the application, a device on which the application executes, the datacenters, and/or the exchanged data.

BACKGROUND

Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.

The placement and management of geospatial data, or data associated with specific geographic locations, has come into focus as use of mobile devices and cloud services become more widespread. Geospatial data may be available from numerous sources, in many diverse and heterogeneous formats and structures, and may be compiled using various geospatial data collection techniques. As such, it may be desirable to assure that the various sources of potential geospatial data, such as user applications, interact with the geographically-appropriate datacenters.

Geospatial data processing and management, although fairly complicated, may be reasonably implemented by large companies with their commensurate resources. However, user application developers are becoming smaller as application development becomes easier and simpler. Such smaller developers may lack the resources larger companies do, and may find it difficult to take advantage of geospatial data processing.

SUMMARY

The present disclosure generally describes techniques to redirect data from application sandboxes to datacenters.

According to some examples, methods are provided to redirect data from an application sandbox to datacenters. An example method may include executing an application in an application sandbox at a first device and establishing a network connection between a sandboxed data store in the application sandbox and a first datacenter at a first geographic location. The method may further include exchanging a first data between the application and the sandboxed data store and exchanging the first data between the sandboxed data store and the first datacenter via the network connection.

According to other examples, devices are provided to redirect data from an application sandbox to datacenters. An example device may include a memory, a sandboxing module configured to provide an application sandbox and a sandboxed data store in the memory, and a processing module. The processing module may be configured to execute an application in the application sandbox and establish a network connection between the sandboxed data store and a first datacenter at a first geographic location. The processing module may be further configured to exchange a first data between the application and the sandboxed data store and exchange the first data between the sandboxed data store and the first datacenter via the network connection.

According to further examples, methods are provided for geo-spatial load balancing and data management across datacenters. An example method may include receiving application information associated with an application being executed in a device sandbox, determining, based on the application information and geospatial information associated with multiple datacenters, a destination datacenter selected from the multiple datacenters, and updating the application based on the destination datacenter.

According to yet further examples, a geo-manager module is provided to redirect data from application sandboxes to datacenters. The geo-manager module may include a memory configured to store geospatial information associated with multiple datacenters and a processing module. The processing module may be configured to receive application information associated with an application being executed in a device sandbox, determine, based on the application information and the geospatial information, a destination datacenter selected from the multiple datacenters, and provide an update for the application based on the destination datacenter.

The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other features of this disclosure will become more fully apparent from the following description and appended claims, taken in conjunction with the accompanying drawings. Understanding that these drawings depict only several embodiments in accordance with the disclosure and are, therefore, not to be considered limiting of its scope, the disclosure will be described with additional specificity and detail through use of the accompanying drawings, in which:

FIG. 1 illustrates an example datacenter-based system where data redirection from sandboxed applications may be implemented;

FIG. 2 illustrates an example device where application sandboxing may be implemented;

FIG. 3 illustrates an example system where data from application sandboxes may be redirected to datacenters;

FIG. 4 illustrates an example process for a device to update network connections for data redirection from application sandboxes to datacenters;

FIG. 5 illustrates an example process for a geo-manager module to update network connections for application sandbox data redirection from multiple users and multiple applications to datacenters;

FIG. 6 illustrates a general purpose computing device, which may be used to redirect data from application sandboxes to datacenters;

FIG. 7 is a flow diagram illustrating an example method to redirect data from application sandboxes that may be performed by a computing device such as the computing device in FIG. 6; and

FIG. 8 illustrates a block diagram of an example computer program product, all arranged in accordance with at least some embodiments described herein.

DETAILED DESCRIPTION

In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented herein. The aspects of the present disclosure, as generally described herein, and illustrated in the Figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations, all of which are explicitly contemplated herein.

This disclosure is generally drawn, inter alia, to methods, apparatus, systems, devices, and/or computer program products related to redirection of data from application sandboxes to datacenters.

Briefly stated, technologies are generally described to redirect data from application sandboxes to datacenters. In some examples, an application operating in an application sandbox may exchange data with an application data store, such as a file or a directory, also located in the sandbox. The data store may then exchange data with a datacenter at a particular geographic locale over a network connection established by a sandbox data servicer module. The network connection may be periodically updated to connect the data store with different datacenters at different geographic locales based on geographic information associated with the application, a device on which the application executes, the datacenters, and/or the exchanged data.

A datacenter as used herein refers to an entity that hosts services and applications for customers through one or more physical server installations and one or more virtual machines executed in those server installations. Customers of the datacenter, also referred to as tenants, may be organizations that provide access to their services for multiple users.

FIG. 1 illustrates an example datacenter-based system where data redirection from sandboxed applications may be implemented, arranged in accordance with at least some embodiments described herein.

As shown in a diagram 100, a physical datacenter 102 may include one or more physical servers 110, 111, and 113, each of which may be configured to provide one or more virtual machines 104. For example, the physical servers 111 and 113 may be configured to provide four virtual machines and two virtual machines, respectively. In some embodiments, one or more virtual machines may be combined into one or more virtual datacenters. For example, the four virtual machines provided by the server 111 may be combined into a virtual datacenter 112. The virtual machines 104 and/or the virtual datacenter 112 may be configured to provide cloud-related data/computing services such as various applications, data storage, data processing, or comparable ones to a group of customers 108, such as individual users or enterprise customers, via a cloud 106.

As described above, many application developers may lack the resources to take advantage of geospatial data processing. To address this issue, entities that have the resources to perform geospatial data processing, such as the large companies mentioned above, may provide geospatial data interfaces configured to couple to individual applications. Sandboxed data files or directories associated with individual applications may then serve as data “pipes” for transferring data between the individual applications and various datacenters through these geospatial data interfaces. As a result, application developers who wish to build applications that take advantage of geospatial data processing may not need to deal with the complexities involved in geospatial data management. Instead, application developers may rely on the expertise of larger geospatial data service providers. Moreover, since sandboxing can be implemented at the operating system level instead of the application level, any given application may be provided with geospatial data processing capability simply by executing the application on a device with an operating system that supports sandboxing. Even older or legacy software applications not originally designed for network-based interactions may be provided with geospatial data processing simply by executing them on a platform that provides sandboxing.

FIG. 2 illustrates an example device where application sandboxing may be implemented, arranged in accordance with at least some embodiments described herein.

According to a diagram 200, a computing device 202, such as a desktop or mobile computer, a tablet computer, a smartphone, or any other suitable computing device, may execute a number of different applications. In some embodiments, the computing device 202 may execute an individual application in an application sandbox. As used herein, an application sandbox may refer to a set of controls that determines what a particular application can do in a system, and may be implemented at the operating system level or the application level. For example, the operating system of the computing device 202 may implement an application sandbox to limit an application's access to files, preferences, network resources, and/or hardware at the computing device 202. In the diagram 200, the computing device 202 may execute a first application 208 in a first application sandbox 204, a second application in a second application sandbox 220, and a third application in a third application sandbox 230. Each of the application sandboxes 204, 220, and 230 may include the associated application as well as any files or memory locations that the associated application can access. For example, the first application sandbox 204 may include a first application directory 206 that contains the first application 208 as well as a documents directory 210, a library directory 212, and a temporary directory 214. In other examples, some or all of these elements may be kept separate, for example, the operating system may keep executable application 208 outside sandbox 204 to prevent the application changing its executable code.

In some embodiments, application sandboxing may allow each application on a computing device to see the same file structure, but actually have each application interact with different, sandboxed versions of the various directories or data files. For example, both the first application 208 in the first application sandbox 204 and the second application in the second application sandbox 220 may have access to a “documents” directory. However, the first application 208 may write to and read from its own version of the “documents” directory (the documents directory 210) and the second application may access its own, different version of the “documents” directory, located in the second application sandbox 220. The different versions of the directories may in fact be virtual data stores in system memory or storage managed by the operating system of the computing device 202. As a result, any given sandboxed application may only modify data and settings within its own sandbox, and may not modify data and settings belonging to other applications on the computing device 202.

FIG. 3 illustrates an example system where data from application sandboxes may be redirected to datacenters, arranged in accordance with at least some embodiments described herein.

As shown in a diagram 300, the computing device 202 may execute the first application 208 in the first application sandbox 204. During execution, the first application 208 may have read/write access to one or more sandbox directories or data files 302. For example, the directories/files 302 may include the documents directory 210, the library directory 212, the temporary directory 214, and/or any other suitable directories or files. Since the directories/files 302 are sandbox directories/files, the device 202 may treat the directories/files 302 as virtual data stores, and may isolate data written to the directories/files 302 by the first application 208 from other directories or files at the device 202.

As mentioned above, sandboxed directories or data files associated with a sandboxed application may serve as data “pipes” coupling the sandboxed application to various datacenters for geospatial data processing and management. In some embodiments, a geo-manager module 310 may provide geospatial data management for the device 202. The geo-manager module 310 may manage multiple datacenters, such as a first datacenter 320, a second datacenter 330, and/or a third datacenter 340, each located in a different geographic locale. In some embodiments, the geo-manager module 310 may be located or implemented at one of the datacenters or at an entirely separate location. As part of the geospatial data management process, the geo-manager module 310 may determine a suitable destination datacenter for geospatial data from the device 202 or the first application 208 based on one or more parameters. For example, the geo-manager module 310 may select one of the datacenters 320, 330, or 340 as a destination datacenter for the device 202 or the first application 208 based on the geographic location of the device 202, the first application 208, and/or the datacenters 320, 330, or 340. In some embodiments, the geo-manager module 310 may select the destination datacenter based on a type or contents of the geospatial data to be transferred.

To establish the actual connection between the destination datacenter and the device 202 and/or first application 208, the geo-manager module 310 may communicate with a sandbox data servicer 304 being executed at the device 202. For example, the geo-manager module 310 may provide information about the destination datacenter to the sandbox data servicer 304. The destination datacenter information may be provided in the form of an application programming interface (API) message, a JavaScript Object Notation (JSON) object, an Extensible Markup Language (XML) object, and/or any other suitable message or object. The sandbox data servicer 304 may then establish network connections for data exchange between the sandbox directories/files 302 and the datacenters 320, 330, and 340. For example, the sandbox data servicer 304 may be configured to establish connections between the directories/files 302 and one or more of the datacenters 320, 330, and 340 via a network, represented by the cloud 106. Subsequently, all or some data written to the sandbox directories/files 302 by the first application 208 may be transferred, via the established network connections, to the appropriate destination datacenter, where geospatial data processing and management may occur. Data may also be written to the sandbox directories/files 302 by the destination datacenter via the network connections for the first application 208 to read. This may allow application developers to take advantage of geospatial data processing and management provided by other entities merely by implementing or using application sandboxes. In some embodiments, the data transferred over the network connections in either or both directions may be encrypted or otherwise secured to provide additional security.

As described above, the sandbox data servicer 304 may establish a network connection between a destination datacenter and the sandbox directories/files associated with one application on the device 202, and different applications may be connected to different datacenters. In some embodiments, sandbox directories/files associated with multiple applications may be connected to the same destination datacenter. In other embodiments, one sandbox directory/file associated with an application may be connected to one destination datacenter, while another sandbox directory/file associated with the same application may be connected to another destination datacenter. Some sandboxed directories/files may not be connected to any datacenters, and may remain isolated. For example, the sandboxed directories/files associated with a particular application executing on the device 202 may not be connected to any datacenters. In some embodiments, some sandboxed directories/files associated with an application may be connected to datacenters, and other sandboxed directories/files associated with the same application may be isolated from all datacenters.

In some embodiments, a geo-manager module 310 operating in conjunction with the sandbox data servicer 304 may periodically update the network connections between the sandboxed directories/files 302 and the various datacenters. The network connections may be updated if one or more parameters associated with the device 202, the applications executing on the device 202, the data being exchanged over the network connection, the cloud 106, and/or the datacenters 320, 330, and 340 change. For example, network connections may be updated when the device 202 moves to a different geographic location, when the device 202 begins or halts execution of one or more applications, when the type, format, or content of data being exchanged changes, and/or when datacenters come online or go offline. The geo-manager module 310 may update the network connections by providing updated destination datacenter information to the sandbox data servicer 304 in the form of an API message, a JSON/XML object, or in any other suitable format. Subsequently, the sandbox data servicer 304 may update network connections from the sandboxed directories/files 302 to reflect the updated destination datacenter information. For example, in response to receiving updated destination datacenter information indicating the second datacenter 330 as the new destination, the sandbox data servicer 304 may change a network connection ending at the first datacenter 320 to end at the second datacenter 330.

In some embodiments, ongoing communication between the sandboxed directories/files 302 and the original destination datacenter may be maintained during a switch to the updated destination datacenter. For example, the sandboxed directories/files 302 may initially communicate with the first datacenter 320 in a first session. As the network connection is updated to end at the second datacenter 330 instead of the first datacenter 320, the sandbox data servicer 304 may maintain the same first session such that the datacenter switch is transparent to the sandboxed directories/files 302. In some embodiments, the geo-manager module 310 may assist in maintaining the first session by sending keys or session information when providing network connection updates.

FIG. 4 illustrates an example process 400 for a device to update network connections for data redirection from application sandboxes to datacenters, arranged in accordance with at least some embodiments described herein.

The process 400 may begin at an operation 402 (TRANSFER SANDBOX DATA TO/FROM SELECTED DATACENTER), where a sandbox data servicer module (e.g., the sandbox data servicer 304) may transfer data between a sandboxed data store (e.g., the sandboxed directories/files 302) and a selected destination datacenter. At a next operation 404 (NEW CONNECTION UPDATE?), a sandbox data servicer module (e.g., the sandbox data servicer 304) may determine whether a new connection update has been received. For example, the sandbox data servicer module may receive new connection updates from a geo-manager module (e.g., the geo-manager module 310) based on parameter changes associated with the application, device, and/or datacenters. In response to determining that no new connection updates have been received, the sandbox data servicer module may return to the operation 402 and continue transferring data between the sandboxed data store and the selected destination datacenter.

On the other hand, in response to determining that a new connection update has been received, at a next operation 406 (RECEIVE NEW CONNECTION INFORMATION), the sandbox data servicer module may receive the new connection information, for example, in the form of an API message, a JSON/XML object, or any other suitable message or object. At a next operation 408 (SET UP NEW NETWORK CONNECTION), the sandbox data servicer module may set up the new network connection based on the received new connection information. For example, the sandbox data servicer module may update a network connection to end at a new destination datacenter. Subsequently, the sandbox data servicer module may return to the operation 402 and continue transferring data between the sandboxed data store and the newly-updated destination datacenter.

FIG. 5 illustrates an example process 500 for a geo-manager module to update network connections for application sandbox data redirection from multiple users and multiple applications to datacenters, arranged in accordance with at least some embodiments described herein.

The process 500 may begin at an operation 502 (DECIDE WHICH DATACENTER APPLICATION DATA TO BE SENT TO), where a geo-manager module (e.g., the geo-manager 310) may decide which datacenter data from a particular application associated with a particular user should be sent to. The geo-manager module may perform the decision based on one or more parameters associated with the application, the user, the data, and/or the datacenters, such as geographic location, data type/format/content, time, network traffic, datacenter status, and/or any other suitable parameters. Subsequently, at an operation 504 (UPDATE SANDBOX DATA SERVICE CONNECTION) the geo-manager module may update the sandbox data service connection. For example, the geo-manager module may provide a network connection update with new destination datacenter information to a sandbox data servicer module (e.g., the sandbox data servicer 304) at the device executing the application.

At a next operation 506 (DONE WITH USER?), the geo-manager module may determine whether the user has any other applications to update. In response to determining that the user has at least one other application to update, at an operation 508 (NEXT APPLICATION) the geo-manager module may switch to the next, un-updated application, then again iterate through the operations 502-504. In response to determining that the user does not have any other application to update, at an operation 510 (DONE WITH ALL USERS?) the geo-manager module may determine if any other users have applications to update. In response to determining that there is at least one other user with applications to update, at an operation 512 (NEXT USER) the geo-manager may switch to the next user with un-updated applications, then again iterate through the operations 502-506. On the other hand, in response to determining that no other users have applications to update, at an operation 514 (GEO-MANAGEMENT STATE CHANGED?) the geo-manager module may determine if geo-management state has been changed. For example, geo-management state may change in response to users leaving or joining, new applications starting, users moving, running applications stopping, network load-balancing changes, geospatial data processing changes, or any other change in the geo-manager module operating environment. In response to determining that geo-management state has changed, the geo-manager module may again iterate through the operations 502-510. On the other hand, in response to determining that geo-management state has not changed, the geo-manager module may again check if geo-management state has changed at a later time.
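The datacenter decision of operation 502 and the update handling of operations 404-408, sketched together as an added example that is not part of the disclosure. The nearest-online-datacenter rule, the HMAC tag and sequence number on the JSON update, and all ids, coordinates and hostnames are assumptions made for illustration; the disclosure only states that the update may be a JSON object and that transferred data may be secured.

```python
import hashlib
import hmac
import json
import math

# Constructed sample data: ids, coordinates and hostnames are illustrative only.
DATACENTERS = {
    "dc-320": {"lat": 37.77, "lon": -122.42, "endpoint": "dc320.example.net", "online": True},
    "dc-330": {"lat": 50.11, "lon": 8.68, "endpoint": "dc330.example.net", "online": True},
    "dc-340": {"lat": 35.68, "lon": 139.69, "endpoint": "dc340.example.net", "online": True},
}
SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned out of band


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def select_datacenter(lat, lon, datacenters=DATACENTERS):
    """Operation 502 (assumed policy): nearest datacenter that is online."""
    online = {k: v for k, v in datacenters.items() if v["online"]}
    if not online:
        raise RuntimeError("no datacenter online")
    return min(online, key=lambda k: haversine_km(lat, lon, online[k]["lat"], online[k]["lon"]))


def make_update(store, dc_id, seq, key=SHARED_KEY):
    """Operation 504: geo-manager builds a JSON update with an HMAC-SHA256 tag."""
    body = json.dumps({"store": store, "datacenter": dc_id, "seq": seq}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


class SandboxDataServicer:
    """Holds the route of each connected sandbox store; other stores stay isolated."""

    def __init__(self, connected_stores, datacenters=DATACENTERS, key=SHARED_KEY):
        self.routes = {store: None for store in connected_stores}
        self.datacenters = datacenters
        self.key = key
        self.last_seq = 0

    def apply_update(self, message):
        """Operations 404-408: re-point a store only if the update checks out."""
        try:
            envelope = json.loads(message)
            body, tag = envelope["body"], envelope["tag"]
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, tag):
                return False  # forged or modified update
            update = json.loads(body)
            store, dc_id, seq = update["store"], update["datacenter"], update["seq"]
            if not isinstance(seq, int) or seq <= self.last_seq:
                return False  # replayed or out-of-order update
            if store not in self.routes:
                return False  # isolated store: never connected to a datacenter
            if not self.datacenters.get(dc_id, {}).get("online", False):
                return False  # unknown or offline destination
        except (ValueError, KeyError, TypeError, AttributeError):
            return False  # malformed message
        self.last_seq = seq
        self.routes[store] = dc_id
        return True

    def endpoint_for(self, store):
        """Endpoint operation 402 would use for this store, or None if unrouted."""
        dc_id = self.routes.get(store)
        return self.datacenters[dc_id]["endpoint"] if dc_id else None
```

Because an accepted update changes where an application's data is sent, the servicer in this sketch rejects anything it cannot authenticate, order, or map to a known destination, and leaves the existing route in place.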

FIG. 6 illustrates a general purpose computing device, which may be used to redirect data from application sandboxes to datacenters, arranged in accordance with at least some embodiments described herein.

For example, the computing device 600 may be used to redirect data from application sandboxes to datacenters as described herein. In an example basic configuration 602, the computing device 600 may include one or more processors 604 and a system memory 606. A memory bus 608 may be used to communicate between the processor 604 and the system memory 606. The basic configuration 602 is illustrated in FIG. 6 by those components within the inner dashed line.

Depending on the desired configuration, the processor 604 may be of any type, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof. The processor 604 may include one or more levels of caching, such as a level cache memory 612, a processor core 614, and registers 616. The example processor core 614 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP Core), or any combination thereof. An example memory controller 618 may also be used with the processor 604, or in some implementations, the memory controller 618 may be an internal part of the processor 604.

Depending on the desired configuration, the system memory 606 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof. The system memory 606 may include an operating system 620, an application sandbox module 622, and program data 624. The application sandbox module 622 may include a sandbox data servicer module 626 to implement network connections between application sandboxes and datacenters as described herein. The program data 624 may include, among other data, a sandboxed data store 628 or the like, as described herein.

The computing device 600 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 602 and any desired devices and interfaces. For example, a bus/interface controller 630 may be used to facilitate communications between the basic configuration 602 and one or more data storage devices 632 via a storage interface bus 634. The data storage devices 632 may be one or more removable storage devices 636, one or more non-removable storage devices 638, or a combination thereof. Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDD), optical disk drives such as compact disk (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSD), and tape drives to name a few. Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.

The system memory 606, the removable storage devices 636 and the non-removable storage devices 638 are examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD), solid state drives, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 600. Any such computer storage media may be part of the computing device 600.

The computing device 600 may also include an interface bus 640 for facilitating communication from various interface devices (e.g., one or more output devices 642, one or more peripheral interfaces 644, and one or more communication devices 666) to the basic configuration 602 via the bus/interface controller 630. Some of the example output devices 642 include a graphics processing unit 648 and an audio processing unit 650, which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 652. One or more example peripheral interfaces 644 may include a serial interface controller 654 or a parallel interface controller 656, which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (e.g., printer, scanner, etc.) via one or more I/O ports 658. An example communication device 666 includes a network controller 660, which may be arranged to facilitate communications with one or more other computing devices 662 over a network communication link via one or more communication ports 664. The one or more other computing devices 662 may include servers at a datacenter, customer equipment, and comparable devices.

The network communication link may be one example of a communication media. Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media. A “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) and other wireless media. The term computer readable media as used herein may include both storage media and communication media.

The computing device 600 may be implemented as a part of a general purpose or specialized server, mainframe, or similar computer that includes any of the above functions. The computing device 600 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.

FIG. 7 is a flow diagram illustrating an example method to redirect data from application sandboxes that may be performed by a computing device such as the computing device in FIG. 6, arranged in accordance with at least some embodiments described herein.

Example methods may include one or more operations, functions or actions as illustrated by one or more of blocks 722, 724, 726, and/or 728, and may in some embodiments be performed by a computing device such as the computing device 600 in FIG. 6. The operations described in the blocks 722-728 may also be stored as computer-executable instructions in a computer-readable medium such as a computer-readable medium 720 of a computing device 710.

An example process to redirect data from application sandboxes to datacenters may begin with block 722, “EXECUTE AN APPLICATION IN A SANDBOX AT A DEVICE”, where an application (e.g., the first application 208) may be executed in an application sandbox (e.g., the first application sandbox 204) at a device (e.g., the computing device 202).

Block 722 may be followed by block 724, “ESTABLISH A NETWORK CONNECTION BETWEEN A SANDBOXED DATA STORE IN THE SANDBOX AND A DATACENTER AT A PARTICULAR GEOGRAPHIC LOCALE”, where a network connection may be established between a sandboxed data store (e.g., the sandboxed directories/files 302) and a datacenter at a particular geographic locale, as described above. The network connection may be established by a geo-manager module (e.g., the geo-manager module 310) operated in conjunction with a sandbox data servicer module (e.g., the sandbox data servicer 304). For example, the sandbox data servicer module may receive information from the geo-manager module about a destination datacenter. The sandbox data servicer module may then set up a network connection between the sandboxed data store and the destination datacenter using the received information.

Block 724 may be followed by block 726, “EXCHANGE DATA BETWEEN THE APPLICATION AND THE SANDBOXED DATA STORE”, where the application may read data from or write data to the sandboxed data store, as described above.

Finally, block 726 may be followed by block 728, “EXCHANGE DATA BETWEEN THE SANDBOXED DATA STORE AND THE DATACENTER”, where the sandbox data servicer module may exchange data between the sandboxed data store and the destination datacenter via the established network connection, as described above.

FIG. 8 illustrates a block diagram of an example computer program product, arranged in accordance with at least some embodiments described herein.

In some examples, as shown in FIG. 8, a computer program product 800 may include a signal bearing medium 802 that may also include one or more machine readable instructions 804 that, when executed by, for example, a processor may provide the functionality described herein. Thus, for example, referring to the processor 604 in FIG. 6, the application sandbox module 622 may undertake one or more of the tasks shown in FIG. 8 in response to the instructions 804 conveyed to the processor 604 by the medium 802 to perform actions associated with redirecting data from application sandboxes as described herein. Some of those instructions may include, for example, to execute an application in a sandbox at a device, to establish a network connection between a sandboxed data store in the sandbox and a datacenter at a particular geographic locale, to exchange data between the application and the sandboxed data store, and/or to exchange data between the sandboxed data store and the datacenter, according to some embodiments described herein.

In some implementations, the signal bearing media 802 depicted in FIG. 8 may encompass computer-readable media 806, such as, but not limited to, a hard disk drive, a solid state drive, a Compact Disc (CD), a Digital Versatile Disk (DVD), a digital tape, memory, etc. In some implementations, the signal bearing media 802 may encompass recordable media 807, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc. In some implementations, the signal bearing media 802 may encompass communications media 810, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc.). Thus, for example, the program product 800 may be conveyed to one or more modules of the processor 604 by an RF signal bearing medium, where the signal bearing media 802 is conveyed by the wireless communications media 810 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard).

According to some examples, a method is provided to redirect data from an application sandbox to datacenters. The method may include executing an application in an application sandbox at a first device and establishing a network connection between a sandboxed data store in the application sandbox and a first datacenter at a first geographic location. The method may further include exchanging a first data between the application and the sandboxed data store and exchanging the first data between the sandboxed data store and the first datacenter via the network connection.

According to some embodiments, the sandboxed data store may include a file and/or a directory. The method may further include establishing another network connection between another sandboxed data store in the application sandbox and a second datacenter at a second geographic location, exchanging a second data between the application and the other sandboxed data store in the application sandbox, and exchanging the second data between the other sandboxed data store and the second datacenter at the second geographic location via the other network connection. The method may further include exchanging a second data between the application and another sandboxed data store isolated from all datacenters.

According to other embodiments, the method may further include executing another application in another application sandbox at the first device, exchanging a third data between the other application and another sandboxed data store in the other application sandbox, and isolating the other sandboxed data store in the other application sandbox from all datacenters. The method may further include updating the network connection to end at a third datacenter at a third geographic location and subsequently exchanging the first data between the sandboxed data store and the third datacenter via the network connection. The network connection may be established and/or updated using a sandbox data servicer module being executed on the first device and/or based on datacenter information provided by a geo-manager module. The datacenter information may be provided as an application programming interface (API) message, a JavaScript Object Notation (JSON) object, and/or an Extensible Markup Language (XML) object. The datacenter information and/or the first data exchanged via the network connection may be encrypted.

According to further embodiments, the method may further include exchanging the first data between the sandboxed data store and the first datacenter in a first session and maintaining a session continuity by subsequently exchanging the first data between the sandboxed data store and the third datacenter in the same first session. The geo-manager module may be located at the first datacenter, the second datacenter, the third datacenter, or a separate entity. The method may further include establishing and/or updating the network connection based on one or more parameters associated with the application and/or the first device. The parameter(s) may include a geographic location associated with the first device, a geographic location associated with the application, the first geographic location, and/or the third geographic location.

According to other examples, a device is provided to redirect data from an application sandbox to datacenters. The device may include a memory, a sandboxing module configured to provide an application sandbox and a sandboxed data store in the memory, and a processing module. The processing module may be configured to execute an application in the application sandbox and establish a network connection between the sandboxed data store and a first datacenter at a first geographic location. The processing module may be further configured to exchange a first data between the application and the sandboxed data store and exchange the first data between the sandboxed data store and the first datacenter via the network connection.

According to some embodiments, the sandboxed data store may include a file and/or a directory. The processing module may be further configured to establish another network connection between another sandboxed data store in the application sandbox and a second datacenter at a second geographic location, exchange a second data between the application and the other sandboxed data store in the application sandbox, and exchange the second data between the other sandboxed data store and the second datacenter at the second geographic location via the other network connection. The processing module may be further configured to exchange a second data between the application and another sandboxed data store isolated from all datacenters.

According to other embodiments, the processing module may be further configured to execute another application in another application sandbox, exchange a third data between the other application and another sandboxed data store in the other application sandbox, and isolate the other sandboxed data store in the other application sandbox from all datacenters. The processing module may be further configured to update the network connection to end at a third datacenter at a third geographic location and subsequently exchange the first data between the sandboxed data store and the third datacenter via the network connection. The processing module may be further configured to execute a sandbox data servicer module to establish and/or update the network connection. The processing module may be further configured to receive datacenter information provided by a geo-manager module and establish and/or update the network connection based on the datacenter information. The datacenter information may be received as an application programming interface (API) message, a JavaScript Object Notation (JSON) object, and/or an Extensible Markup Language (XML) object. The datacenter information and/or the first data exchanged via the network connection may be encrypted.

According to further embodiments, the processing module may be further configured to exchange the first data between the sandboxed data store and the first datacenter in a first session and maintain a session continuity by subsequently exchanging the first data between the sandboxed data store and the third datacenter in the same first session. The geo-manager module may be located at the first datacenter, the second datacenter, the third datacenter, or a separate entity. The processing module may be further configured to establish and/or update the network connection based on one or more parameters associated with the application and/or the first device. The parameter(s) may include a geographic location associated with the first device, a geographic location associated with the application, the first geographic location, and/or the third geographic location.

According to further examples, a method is provided for geo-spatial load balancing and data management across datacenters. The method may include receiving application information associated with an application being executed in a device sandbox, determining, based on the application information and geospatial information associated with multiple datacenters, a destination datacenter selected from the multiple datacenters, and updating the application based on the destination datacenter.

According to some embodiments, the method may further include receiving other application information associated with another application executing in another device sandbox, determining another destination datacenter selected from the multiple datacenters based on the other application information and the geospatial information, and updating the other application based on the other destination datacenter. Updating the application may include providing an update to a sandbox data servicer module associated with the application.

According to other embodiments, the method may further include providing the update as an application programming interface (API) message, a JavaScript Object Notation (JSON) object, and/or an Extensible Markup Language (XML) object. The method may further include encrypting the update and/or determining the destination datacenter based on one or more parameters associated with the application and/or a device executing the application. The parameter(s) may include a geographic location associated with the device, a geographic location associated with the application, and/or a geographic location associated with the destination datacenter.

According to yet further examples, a geo-manager module is provided to redirect data from application sandboxes to datacenters. The geo-manager module may include a memory configured to store geospatial information associated with multiple datacenters and a processing module. The processing module may be configured to receive application information associated with an application being executed in a device sandbox, determine, based on the application information and the geospatial information, a destination datacenter selected from the multiple datacenters, and provide an update for the application based on the destination datacenter.

According to some embodiments, the processing module may be configured to determine another destination datacenter selected from the multiple datacenters based on the application information and the geospatial information, and provide the update for the application based on the destination datacenter and the other destination datacenter. The processing module may be configured to provide the update to a sandbox data servicer module associated with the application. The processing module may further be configured to encrypt the update and/or provide the update as an application programming interface (API) message, a JavaScript Object Notation (JSON) object, and/or an Extensible Markup Language (XML) object.
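The geo-manager and sandbox data servicer roles summarized above (destination selection from device location, a JSON update, re-pointing a connection with session continuity, and stores isolated from all datacenters), as an added example that is not code from the patent. The datacenter names, hosts, coordinates, key, message fields and nearest-datacenter rule are assumptions; where the text says the update may be encrypted, this sketch authenticates it with HMAC-SHA256 instead and leaves confidentiality to the transport.

```python
import hashlib
import hmac
import json
import math
import uuid

# Constructed sample data: datacenter names, hosts and coordinates are made up.
DATACENTERS = {
    "dc-frankfurt": {"host": "fra.dc.example", "lat": 50.11, "lon": 8.68},
    "dc-virginia": {"host": "iad.dc.example", "lat": 38.95, "lon": -77.45},
    "dc-singapore": {"host": "sin.dc.example", "lat": 1.35, "lon": 103.99},
}
SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned out of band


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def geo_manager_update(app_id, store, device_lat, device_lon, key=SHARED_KEY):
    """Geo-manager side: pick the nearest datacenter, emit a signed JSON update."""
    name = min(DATACENTERS, key=lambda n: distance_km(
        device_lat, device_lon, DATACENTERS[n]["lat"], DATACENTERS[n]["lon"]))
    body = json.dumps({"app": app_id, "store": store, "datacenter": name,
                       "host": DATACENTERS[name]["host"]}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


class SandboxDataServicer:
    """Device side: maps sandboxed data stores to datacenter connections."""

    def __init__(self, app_id, key=SHARED_KEY):
        self.app_id = app_id
        self.key = key
        self.connections = {}  # store path -> {"host", "datacenter", "session"}

    def apply_update(self, message):
        """Verify an update, then establish or re-point the store's connection."""
        envelope = json.loads(message)
        expected = hmac.new(self.key, envelope["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            raise ValueError("update failed authentication")
        update = json.loads(envelope["body"])
        known = DATACENTERS.get(update["datacenter"])
        if (update["app"] != self.app_id or known is None
                or known["host"] != update["host"]):
            raise ValueError("update names another app or an unknown datacenter")
        current = self.connections.get(update["store"])
        # Session continuity: a re-pointed connection keeps its session id.
        session = current["session"] if current else uuid.uuid4().hex
        self.connections[update["store"]] = {
            "host": update["host"], "datacenter": update["datacenter"],
            "session": session}
        return self.connections[update["store"]]

    def destination(self, store):
        """Host that receives this store's data, or None if the store is isolated."""
        conn = self.connections.get(store)
        return conn["host"] if conn else None


def demo():
    """Device moves from Paris to New York; a tampered update is then refused."""
    servicer = SandboxDataServicer("app-1")
    first = dict(servicer.apply_update(
        geo_manager_update("app-1", "sandbox/geo-data", 48.85, 2.35)))
    moved = dict(servicer.apply_update(
        geo_manager_update("app-1", "sandbox/geo-data", 40.71, -74.01)))
    tampered = json.loads(geo_manager_update("app-1", "sandbox/geo-data", 1.30, 103.80))
    tampered["body"] = tampered["body"].replace("sin.dc.example", "unlisted.example")
    try:
        servicer.apply_update(json.dumps(tampered))
        rejected = False
    except ValueError:
        rejected = True
    # "sandbox/private" never received an update, so it stays isolated.
    return first, moved, rejected, servicer.destination("sandbox/private")


if __name__ == "__main__":
    print(demo())
```

Because the servicer is the component that decides where sandboxed data leaves the device, the update is checked for authenticity and against the known datacenter list before any connection is re-pointed.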

There is little distinction left between hardware and software implementations of aspects of systems; the use of hardware or software is generally (but not always, in that in certain contexts the choice between hardware and software may become significant) a design choice representing cost vs. efficiency tradeoffs. There are various vehicles by which processes and/or systems and/or other technologies described herein may be effected (e.g., hardware, software, and/or firmware), and that the preferred vehicle will vary with the context in which the processes and/or systems and/or other technologies are deployed. For example, if an implementer determines that speed and accuracy are paramount, the implementer may opt for a mainly hardware and/or firmware vehicle; if flexibility is paramount, the implementer may opt for a mainly software implementation; or, yet again alternatively, the implementer may opt for some combination of hardware, software, and/or firmware.

The foregoing detailed description has set forth various embodiments of the devices and/or processes via the use of block diagrams, flowcharts, and/or examples. Insofar as such block diagrams, flowcharts, and/or examples contain one or more functions and/or operations, it will be understood by those within the art that each function and/or operation within such block diagrams, flowcharts, or examples may be implemented, individually and/or collectively, by a wide range of hardware, software, firmware, or virtually any combination thereof. In one embodiment, several portions of the subject matter described herein may be implemented via Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), digital signal processors (DSPs), or other integrated formats. However, those skilled in the art will recognize that some aspects of the embodiments disclosed herein, in whole or in part, may be equivalently implemented in integrated circuits, as one or more computer programs executing on one or more computers (e.g., as one or more programs executing on one or more computer systems), as one or more programs executing on one or more processors (e.g., as one or more programs executing on one or more microprocessors), as firmware, or as virtually any combination thereof, and that designing the circuitry and/or writing the code for the software and/or firmware would be well within the skill of one of skill in the art in light of this disclosure.

The present disclosure is not to be limited in terms of the particular embodiments described in this application, which are intended as illustrations of various aspects. Many modifications and variations can be made without departing from its spirit and scope, as will be apparent to those skilled in the art. Functionally equivalent methods and apparatuses within the scope of the disclosure, in addition to those enumerated herein, will be apparent to those skilled in the art from the foregoing descriptions. Such modifications and variations are intended to fall within the scope of the appended claims. The present disclosure is to be limited only by the terms of the appended claims, along with the full scope of equivalents to which such claims are entitled. It is also to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to be limiting.

In addition, those skilled in the art will appreciate that the mechanisms of the subject matter described herein are capable of being distributed as a program product in a variety of forms, and that an illustrative embodiment of the subject matter described herein applies regardless of the particular type of signal bearing medium used to actually carry out the distribution. Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive, a Compact Disc (CD), a Digital Versatile Disk (DVD), a digital tape, a computer memory, a solid state drive, etc.; and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc.).

Those skilled in the art will recognize that it is common within the art to describe devices and/or processes in the fashion set forth herein, and thereafter use engineering practices to integrate such described devices and/or processes into data processing systems. That is, at least a portion of the devices and/or processes described herein may be integrated into a data processing system via a reasonable amount of experimentation. Those having skill in the art will recognize that a data processing system may include one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and applications programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors (e.g., feedback for sensing position and/or velocity of gantry systems; control motors to move and/or adjust components and/or quantities).

A data processing system may be implemented utilizing any suitable commercially available components, such as those found in data computing/communication and/or network computing/communication systems. The herein described subject matter sometimes illustrates different components contained within, or connected with, different other components. It is to be understood that such depicted architectures are merely exemplary, and that in fact many other architectures may be implemented which achieve the same functionality. In a conceptual sense, any arrangement of components to achieve the same functionality is effectively “associated” such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality may be seen as “associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermediate components. Likewise, any two components so associated may also be viewed as being “operably connected”, or “operably coupled”, to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being “operably couplable”, to each other to achieve the desired functionality. Specific examples of operably couplable include but are not limited to physically connectable and/or physically interacting components and/or wirelessly interactable and/or wirelessly interacting components and/or logically interacting and/or logically interactable components.

With respect to the use of substantially any plural and/or singular terms herein, those having skill in the art can translate from the plural to the singular and/or from the singular to the plural as is appropriate to the context and/or application. The various singular/plural permutations may be expressly set forth herein for sake of clarity.

It will be understood by those within the art that, in general, terms used herein, and especially in the appended claims (e.g., bodies of the appended claims) are generally intended as “open” terms (e.g., the term “including” should be interpreted as “including but not limited to,” the term “having” should be interpreted as “having at least,” the term “includes” should be interpreted as “includes but is not limited to,” etc.). It will be further understood by those within the art that if a specific number of an introduced claim recitation is intended, such an intent will be explicitly recited in the claim, and in the absence of such recitation no such intent is present. For example, as an aid to understanding, the following appended claims may contain usage of the introductory phrases “at least one” and “one or more” to introduce claim recitations. However, the use of such phrases should not be construed to imply that the introduction of a claim recitation by the indefinite articles “a” or “an” limits any particular claim containing such introduced claim recitation to embodiments containing only one such recitation, even when the same claim includes the introductory phrases “one or more” or “at least one” and indefinite articles such as “a” or “an” (e.g., “a” and/or “an” should be interpreted to mean “at least one” or “one or more”); the same holds true for the use of definite articles used to introduce claim recitations. In addition, even if a specific number of an introduced claim recitation is explicitly recited, those skilled in the art will recognize that such recitation should be interpreted to mean at least the recited number (e.g., the bare recitation of “two recitations,” without other modifiers, means at least two recitations, or two or more recitations).

Furthermore, in those instances where a convention analogous to “at least one of A, B, and C, etc.” is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., “a system having at least one of A, B, and C” would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.). It will be further understood by those within the art that virtually any disjunctive word and/or phrase presenting two or more alternative terms, whether in the description, claims, or drawings, should be understood to contemplate the possibilities of including one of the terms, either of the terms, or both terms. For example, the phrase “A or B” will be understood to include the possibilities of “A” or “B” or “A and B.”

As will be understood by one skilled in the art, for any and all purposes, such as in terms of providing a written description, all ranges disclosed herein also encompass any and all possible subranges and combinations of subranges thereof. Any listed range can be easily recognized as sufficiently describing and enabling the same range being broken down into at least equal halves, thirds, quarters, fifths, tenths, etc. As a non-limiting example, each range discussed herein can be readily broken down into a lower third, middle third and upper third, etc. As will also be understood by one skilled in the art all language such as “up to,” “at least,” “greater than,” “less than,” and the like include the number recited and refer to ranges which can be subsequently broken down into subranges as discussed above. Finally, as will be understood by one skilled in the art, a range includes each individual member. Thus, for example, a group having 1-3 cells refers to groups having 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.

While various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.

1. A method to redirect data from an application sandbox to datacenters, the method comprising: executing an application in an application sandbox at a first device; establishing a network connection between a sandboxed data store in the application sandbox and a first datacenter at a first geographic location; exchanging a first data between the application and the sandboxed data store; exchanging the first data between the sandboxed data store and the first datacenter via the network connection; and exchanging a second data between the application and another sandboxed data store, wherein the other sandboxed data store is isolated from all datacenters.
2. (canceled)
3. The method of claim 1, further comprising: establishing another network connection between another sandboxed data store in the application sandbox and a second datacenter at a second geographic location; exchanging a second data between the application and the other sandboxed data store in the application sandbox; and exchanging the second data between the other sandboxed data store and the second datacenter at the second geographic location via the other network connection.
4. (canceled)
5. The method of claim 1, further comprising: executing another application in another application sandbox at the first device; exchanging a third data between the other application and another sandboxed data store in the other application sandbox; and isolating the other sandboxed data store in the other application sandbox from all datacenters.
6. The method of claim 1, further comprising: updating the network connection to end at a third datacenter at a third geographic location; and subsequently exchanging the first data between the sandboxed data store and the third datacenter via the network connection.
7. The method of claim 6, further comprising establishing and/or updating the network connection using a sandbox data servicer module being executed on the first device.
8. (canceled)
9. (canceled)
10. (canceled)
11. The method of claim 6, further comprising: exchanging the first data between the sandboxed data store and the first datacenter in a first session; and maintaining a session continuity by subsequently exchanging the first data between the sandboxed data store and the third datacenter in the same first session.
12. (canceled)
13. The method of claim 6, further comprising establishing and/or updating the network connection based on at least one parameter associated with an application and/or a first device.
14. The method of claim 13, wherein the at least one parameter includes a geographic location associated with the first device, a geographic location associated with the application, the first geographic location, and/or the third geographic location.
15. A device configured to redirect data from an application sandbox to datacenters, the device comprising: a memory; a sandboxing module configured to provide: an application sandbox; and a sandboxed data store in the memory; and a processing module configured to: execute an application in the application sandbox; establish a network connection between the sandboxed data store and a first datacenter at a first geographic location; exchange a first data between the application and the sandboxed data store; exchange the first data between the sandboxed data store and the first datacenter via the network connection; receive datacenter information provided by a geo-manager module; establish and/or update the network connection based on the datacenter information; and encrypt one or more of the datacenter information and the first data exchanged via the network connection.
16. (canceled)
17. The device of claim 15, wherein the processing module is further configured to: establish another network connection between another sandboxed data store in the application sandbox and a second datacenter at a second geographic location; exchange a second data between the application and the other sandboxed data store in the application sandbox; and exchange the second data between the other sandboxed data store and the second datacenter at the second geographic location via the other network connection.
18. (canceled)
19. The device of claim 15, wherein the processing module is further configured to: execute another application in another application sandbox; exchange a third data between the other application and another sandboxed data store in the other application sandbox; and isolate the other sandboxed data store in the other sandbox from all datacenters.
20. The device of claim 15, wherein the processing module is further configured to: update the network connection to end at a third datacenter at a third geographic location; and subsequently exchange the first data between the sandboxed data store and the third datacenter via the network connection.
21. The device of claim 20, wherein the processing module is further configured to execute a sandbox data servicer module to establish and/or update the network connection.
22. (canceled)
23. (canceled)
24. (canceled)
25. The device of claim 20, wherein the processing module is further configured to: exchange the first data between the sandboxed data store and the first datacenter in a first session; and maintain a session continuity by subsequently exchanging the first data between the sandboxed data store and the third datacenter in the same first session.
26. (canceled)
27. The device of claim 20, wherein the processing module is further configured to establish and/or update the network connection based on at least one parameter associated with an application and/or a first device.
28. The device of claim 27, wherein the at least one parameter includes a geographic location associated with the first device, a geographic location associated with the application, the first geographic location, and/or the third geographic location.
29. A method for geo-spatial load balancing and data management across datacenters, comprising: receiving application information associated with an application being executed in a device sandbox; determining, based on the application information and geospatial information associated with a plurality of datacenters, a destination datacenter selected from the plurality of datacenters; updating the application based on the destination datacenter, wherein updating the application includes providing an update to a sandbox data servicer module associated with the application; and encrypting the update.
30. The method of claim 29, further comprising: receiving other application information associated with another application executing in another device sandbox; determining, based on the other application information and the geospatial information, another destination datacenter selected from the plurality of datacenters; and updating the other application based on the other destination datacenter.
31. (canceled)
32. (canceled)
33. (canceled)
34. The method of claim 29, further comprising determining the destination datacenter based on at least one parameter associated with an application and/or a device executing the application.
35. The method of claim 34, wherein the at least one parameter includes a geographic location associated with the device, a geographic location associated with the application, and/or a geographic location associated with the destination datacenter.
36. (canceled)
37. (canceled)
38. (canceled)
39. (canceled)
40. (canceled)